Some elements common to all events are worth pointing out. These elements have been removed from the events below, leaving only
the information unique to each event. The actual event stream contains much more information for each event.

routing/this is a UUID generated for every event in the sensor.

routing/parent is a reference to the parent event's routing/this, providing strong relationships (much more reliable than simple process IDs)
between the events. This allows you to get the extremely powerful explorer view.

routing/event_time is the time (UTC) the sensor produced the event.

routing/hostname is the hostname of where the event came from.

routing/tags is the list of tags associated with the agent where the event came from.

Atoms are Globally Unique Identifiers that look like this: 1e9e242a512d9a9b16d326ac30229e7b. You can treat an Atom as an opaque value. These unique values
are used to relate events together without the need to use clunky and unreliable things like Process IDs.

The routing/this Atom represents the identifier for the current event. The routing/parent Atom in an event tells you the global identifier for the
parent event of the current event. Using these two Atoms, you can create an entire chain of events.

For processes, this parent relationship is simply the parent process and child process (parent spawned child), but for other less obvious events, the
nature of the relationship varies. For example, for a NETWORK_SUMMARY event, the parent is the process that generated the network connections.

Depending on the exact storage and searching solution you are using, you will likely want to index the values of routing/this and routing/parent for
each event. Doing so will allow you to very quickly find the root cause and actions of everything on your hosts.

Finally, the routing/target is only sometimes found in an event, and it represents a second related event (without having a parent-child relationship). For
example, in the NEW_REMOTE_THREAD event, this target represents the process where the remote thread was created.
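
The indexing and chain-walking described above, as an added example (not LimaCharlie code). It assumes each event is a dict whose "routing" dict carries the this/parent/target Atoms plus an "event_type" key; the sample events and their shortened Atom values are constructed.

```python
from collections import defaultdict

# Constructed sample events, not real sensor output. Assumed layout: a dict
# per event with a "routing" dict holding the this/parent/target Atoms.
# "A0" is referenced as a parent but was never collected (a gap in the store).
EVENTS = [
    {"routing": {"this": "A1", "parent": "A0", "event_type": "NEW_PROCESS"}},
    {"routing": {"this": "A2", "parent": "A1", "event_type": "NEW_PROCESS"}},
    {"routing": {"this": "A3", "parent": "A2", "event_type": "NETWORK_SUMMARY"}},
    {"routing": {"this": "B1", "parent": "A0", "event_type": "NEW_PROCESS"}},
    {"routing": {"this": "A4", "parent": "A2", "target": "B1",
                 "event_type": "NEW_REMOTE_THREAD"}},
]

def build_index(events):
    """Index events by routing/this and group child Atoms by routing/parent."""
    by_this, children = {}, defaultdict(list)
    for ev in events:
        r = ev["routing"]
        by_this[r["this"]] = ev
        if r.get("parent"):
            children[r["parent"]].append(r["this"])
    return by_this, children

def ancestry(by_this, atom):
    """Atoms from `atom` up to the oldest ancestor present in the index."""
    chain, seen = [], set()
    while atom in by_this and atom not in seen:  # stop on a gap or a cycle
        seen.add(atom)
        chain.append(atom)
        atom = by_this[atom]["routing"].get("parent")
    return chain

def descendants(children, atom):
    """Every Atom reachable below `atom`, depth-first."""
    out, stack = [], list(reversed(children.get(atom, [])))
    while stack:
        cur = stack.pop()
        out.append(cur)
        stack.extend(reversed(children.get(cur, [])))
    return out

def target_event(by_this, atom):
    """Resolve routing/target to the related event, or None if absent."""
    tgt = by_this[atom]["routing"].get("target")
    return by_this.get(tgt)

if __name__ == "__main__":
    by_this, children = build_index(EVENTS)
    print(ancestry(by_this, "A4"), descendants(children, "A1"))
```

The walk upward stops at the first parent Atom that is missing from the index, so a truncated chain signals a collection or retention gap rather than a true root.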

This event is used as a generic response to some commands. It usually
contains an ERROR code that you can use to determine if the command
was successful. It's often a good idea to issue the original command
with an investigation_id which will get echoed in the RECEIPT related
to that command to make it easier to track.

Generated from DNS responses and therefore includes both the
requested domain and the response from the server. If the server responds
with multiple responses as allowed by the DNS protocol, the N answers will
become N DNS_REQUEST events, so you can always assume one DNS_REQUEST event
means one answer.

Unique combinations of file hash and file path. Event is emitted the first time
the combination is seen. Therefore it's a great event to look for hashes without being
overwhelmed by process execution or module loads.

Generated either when a process exits or when a process has established 10 network
connections. This event combines process information with the first 10 network connections
the process has made. It is a way to generate detections on process/network information without
sending home all network events all the time, which is a lot of data.

Generated on a Windows system when a thread is created by a process in another process.
This is a characteristic often used by malware during various forms of code injection.

In this case, the process with ID 492 created a thread (with ID 9012) in the process with ID 7944.
The parent process is also globally uniquely identified by the routing/parent and the process
where the thread was started is globally uniquely identified by the routing/target (not visible here).

This event is generated whenever a process opens a handle to another process with one
of the following access flags: VM_READ, VM_WRITE or PROCESS_CREATE_THREAD. Only
available on Windows OS. A routing/target is also populated in the event as the globally
unique identifier of the target process.

Sensor clone events are generated when the LimaCharlie Cloud detects that a specific Sensor ID may have been cloned.
Cloning means the same SID is associated with two different hosts at the same time. This is most often due to
a machine image being created with an LC sensor installed on it, and then being deployed multiple times.